CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24531 – Output of "go env" does not sanitize values in cmd/go
https://notcve.org/view.php?id=CVE-2023-24531
02 Jul 2024 — Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out. Está documentado que el comando go env ... • https://go.dev/cl/488375 •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-24787 – Arbitrary code execution during build on Darwin in cmd/go
https://notcve.org/view.php?id=CVE-2024-24787
08 May 2024 — On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. En Darwin, crear un módulo Go que contenga CGO puede desencadenar la ejecución de código arbitrario cuando se usa la versión Apple de ld, debido al uso del indicador -lto_library en una directiva "#cgo LDFLAGS". • https://github.com/LOURC0D3/CVE-2024-24787-PoC •